libpam-ldapd - LDAP authentication not working on Debian 11


I have seen several other questions here about similar problems, but I haven't found anything that really fits my case.

My goal is to authenticate all Debian machines (mainly for SSH) against a UCS (OpenLDAP) directory, and in the future to authenticate users only if they are members of a specific LDAP group. But right now I am struggling to get it working even without the group membership requirement.

I always get the error:

nslcd: [7b23c6] <authc="test"> DEBUG: ldap_sasl_bind("uid=test,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local") (ppolicy=yes)
nslcd: [7b23c6] <authc="test"> DEBUG: ldap_parse_result() result: Invalid credentials
nslcd: [7b23c6] <authc="test"> DEBUG: failed to bind to LDAP server ldap://ldap.securitywho.local: Invalid credentials
nslcd: [7b23c6] <authc="test"> DEBUG: ldap_unbind()
nslcd: [7b23c6] <authc="test"> uid=test,cn=users,dc=securitywho,dc=local: Invalid credentials
nslcd: [7b23c6] <authc="test"> DEBUG: myldap_search(base="cn=users,dc=securitywho,dc=local", filter="(&(objectClass=*)(uid=test))")
nslcd: [7b23c6] <authc="test"> DEBUG: ldap_result(): uid=test,cn=users,dc=securitywho,dc=local

The bind user is working; I did check everything with the ldapsearch command. Everything works for the bind user, and if I use a wrong password, the debug output shows an error that the bind does not work.

Using ldapsearch, and it is working:

ldapsearch -x -H ldap://ldap.securitywho.local -D "uid=srv_linux,cn=users,dc=securitywho,dc=local" -b cn=users,dc=securitywho,dc=local -W

Excerpt of the output:

# test, users, securitywho.local
dn: uid=test,cn=users,dc=securitywho,dc=local
krb5MaxLife: 86400
krb5MaxRenew: 604800
uid: test
uidNumber: 2008
sn: test
gecos: test
displayName: test
homeDirectory: /home/test
loginShell: /bin/bash
mailForwardCopyToSelf: 0
cn: test
krb5PrincipalName: [email protected]
shadowLastChange: 18992
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
sambaAcctFlags: [U          ]
objectClass: shadowAccount
objectClass: top
objectClass: sambaSamAccount
objectClass: automount
objectClass: univentionPWHistory
objectClass: person
objectClass: krb5KDCEntry
objectClass: univentionObject
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: univentionMail
objectClass: posixAccount
sambaSID: S-1-5-21-258973841-725078507-1497259816-5016
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-258973841-725078507-1497259816-513
univentionObjectType: users/user

To verify that my test user works, I ran the ldapsearch command as the test user, and everything works here too. I checked this with several accounts from the OpenLDAP directory; all of them work here, but none of them work when I try SSH.

ldapsearch -x -H ldap://ldap.securitywho.local -D "uid=test,cn=users,dc=securitywho,dc=local" -b cn=users,dc=securitywho,dc=local -W

Configuration /etc/nslcd.conf

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://ldap.securitywho.local

# The search base that will be used for all queries.
base cn=users,dc=securitywho,dc=local

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn uid=srv_linux,cn=users,dc=securitywho,dc=local
bindpw <SUPERSECUREPASSWORD>

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never
#tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub
filter passwd (objectClass=*)
map    passwd uid              uid

filter shadow (objectClass=*)
map    shadow uid              uid

Full debug output of nslcd:

root@ipam:~# nslcd -d
nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.11
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: uid nslcd
nslcd: DEBUG: CFG: gid 117
nslcd: DEBUG: CFG: uri ldap://ldap.securitywho.local
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: binddn uid=srv_linux,cn=users,dc=securitywho,dc=local
nslcd: DEBUG: CFG: bindpw ***
nslcd: DEBUG: CFG: base cn=users,dc=securitywho,dc=local
nslcd: DEBUG: CFG: scope sub
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectClass=*)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=*)
nslcd: DEBUG: CFG: map group userPassword "*"
nslcd: DEBUG: CFG: map passwd userPassword "*"
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map shadow userPassword "*"
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: pam_authc_ppolicy yes
nslcd: DEBUG: CFG: bind_timelimit 10
nslcd: DEBUG: CFG: timelimit 0
nslcd: DEBUG: CFG: idle_timelimit 0
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl off
nslcd: DEBUG: CFG: tls_reqcert demand
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_min_uid 0
nslcd: DEBUG: CFG: nss_uid_offset 0
nslcd: DEBUG: CFG: nss_gid_offset 0
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: nss_disable_enumeration no
nslcd: DEBUG: CFG: validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase no
nslcd: DEBUG: CFG: pam_authc_search BASE
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: version 0.9.11 starting
nslcd: DEBUG: initgroups("nslcd",117) done
nslcd: DEBUG: setgid(117) done
nslcd: DEBUG: setuid(110) done
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from  pid=896662 uid=0 gid=0
nslcd: [8b4567] <authc="test"> DEBUG: nslcd_pam_authc("test","sshd","***")
nslcd: [8b4567] <authc="test"> DEBUG: myldap_search(base="cn=users,dc=securitywho,dc=local", filter="(&(objectClass=*)(uid=test))")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_initialize(ldap://ldap.securitywho.local)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_simple_bind_s("uid=srv_linux,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_result(): uid=test,cn=users,dc=securitywho,dc=local
nslcd: [8b4567] <authc="test"> DEBUG: myldap_search(base="uid=test,cn=users,dc=securitywho,dc=local", filter="(objectClass=*)")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_initialize(ldap://ldap.securitywho.local)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_sasl_bind("uid=test,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local") (ppolicy=yes)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_parse_result() result: Invalid credentials
nslcd: [8b4567] <authc="test"> DEBUG: failed to bind to LDAP server ldap://ldap.securitywho.local: Invalid credentials
nslcd: [8b4567] <authc="test"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="test"> uid=test,cn=users,dc=securitywho,dc=local: Invalid credentials
nslcd: [8b4567] <authc="test"> DEBUG: myldap_search(base="cn=users,dc=securitywho,dc=local", filter="(&(objectClass=*)(uid=test))")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_result(): uid=test,cn=users,dc=securitywho,dc=local

I tried playing with the "search scope" in /etc/nslcd.conf, but no combination makes it work. I currently don't see any configuration problem. Has anyone had the same issue or can help me? I installed everything with:

apt-get install libpam-ldapd
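The debug capture above shows the two binds nslcd performs for one PAM authentication: ldap_simple_bind_s() as the configured binddn followed by a search for (uid=test) under the base, then ldap_sasl_bind() as the DN that search returned, using the password PAM handed over. The "Invalid credentials" comes from that second bind, so the lookup account is fine and it is the password sent for uid=test that the directory rejects. As an added example (not code from the original question), the POSIX shell function below classifies a `nslcd -d` capture by which of the two steps failed; the sample logs are constructed from the lines quoted in the question plus one hypothetical wrong-bindpw case.

```shell
#!/bin/sh
# Added example (not from the original question): classify one authentication
# attempt from `nslcd -d` output by which of nslcd's two binds failed.
# nslcd authenticates a PAM user in two steps, both visible in the log above:
#   1. ldap_simple_bind_s() as binddn, then a search for (uid=<user>) under base;
#   2. ldap_sasl_bind() as the DN found in step 1, with the password PAM passed in.
# "Invalid credentials" after step 2 means the directory rejected the password
# nslcd received for that DN, not that binddn/bindpw are wrong.

# Read nslcd debug lines on stdin and print exactly one verdict:
#   service-bind-failed  binddn/bindpw in nslcd.conf is rejected
#   user-not-found       lookup bind worked but no entry matched the uid filter
#   user-bind-failed     entry found, bind as that DN rejected (wrong/empty password)
#   ok                   no bind failure logged
classify_nslcd_authc() {
    awk '
        # remember which kind of bind was issued last, so a later
        # "failed to bind" line can be attributed to it
        /ldap_simple_bind_s\(/          { last = "service" }
        /ldap_sasl_bind\(/              { last = "user" }
        /failed to bind to LDAP server/ { if (last == "service") svc = 1; else usr = 1 }
        # nslcd logs the DN of each entry returned by the uid search
        /ldap_result\(\): uid=/         { found = 1 }
        END {
            if (svc)         print "service-bind-failed"
            else if (!found) print "user-not-found"
            else if (usr)    print "user-bind-failed"
            else             print "ok"
        }'
}

# Constructed sample: the essential lines of the capture quoted in the question.
sample_user_bind_failed() {
    cat <<'EOF'
nslcd: [8b4567] <authc="test"> DEBUG: nslcd_pam_authc("test","sshd","***")
nslcd: [8b4567] <authc="test"> DEBUG: myldap_search(base="cn=users,dc=securitywho,dc=local", filter="(&(objectClass=*)(uid=test))")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_simple_bind_s("uid=srv_linux,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_result(): uid=test,cn=users,dc=securitywho,dc=local
nslcd: [8b4567] <authc="test"> DEBUG: ldap_sasl_bind("uid=test,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local") (ppolicy=yes)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_parse_result() result: Invalid credentials
nslcd: [8b4567] <authc="test"> DEBUG: failed to bind to LDAP server ldap://ldap.securitywho.local: Invalid credentials
EOF
}

# Constructed sample (hypothetical): a wrong bindpw already fails at step 1,
# before any entry can be looked up.
sample_service_bind_failed() {
    cat <<'EOF'
nslcd: [1a2b3c] <authc="test"> DEBUG: nslcd_pam_authc("test","sshd","***")
nslcd: [1a2b3c] <authc="test"> DEBUG: ldap_simple_bind_s("uid=srv_linux,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local")
nslcd: [1a2b3c] <authc="test"> DEBUG: failed to bind to LDAP server ldap://ldap.securitywho.local: Invalid credentials
EOF
}

# usage: nslcd -d 2>&1 | tee nslcd.log ; classify_nslcd_authc < nslcd.log
```

Run `nslcd -d` in one terminal, attempt the SSH login in another, and feed the capture to the function; a "user-bind-failed" verdict while `ldapwhoami -x -D <user DN> -W` succeeds with the same password means the password that reached nslcd through PAM is not the one typed, which is worth checking on the PAM side rather than in nslcd.conf.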

Answer 1

After a few more hours, Wireshark debugging showed that the BIND request for the BIND user is sent correctly to the LDAP server (BIND with simple authentication --> no encryption). But my test user did not send the real password to the LDAP server, which means the authentication was not successful. --> Tested with SSH.

I tried logging in on the local console and found that, as far as the nslcd debug output is concerned, the login now succeeds, but /var/log/auth.log shows:

Jan  1 14:01:43 ipam login[489]: pam_unix(login:auth): check pass; user unknown
Jan  1 14:01:43 ipam login[489]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Jan  1 14:01:43 ipam login[489]: pam_unix(login:account): could not identify user (from getpwnam(test))
Jan  1 14:01:43 ipam login[489]: Authentication failure

But now everything is working fine. How did I fix it? --> Reboot.

No further configuration changes were needed; the configuration from my initial post is correct and now works fine.
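The auth.log lines in this answer ("check pass; user unknown", "could not identify user (from getpwnam(test))") are from pam_unix and mean the account could not be resolved through NSS at all, which is a different layer from the LDAP bind: either nslcd was not serving lookups or /etc/nsswitch.conf did not send passwd/group/shadow lookups to it. The following POSIX shell script is an added example, not code from the original answer, that checks the two static wiring points (nsswitch.conf and the PAM auth stack) against arbitrary file paths and then runs the two live checks that exercise NSS and the user bind separately. The path /etc/pam.d/common-auth and the pam_ldap.so module name are the Debian defaults installed by libpam-ldapd; the preflight function's arguments are assumed values from the question.

```shell
#!/bin/sh
# Added example (not from the original answer): static checks for the two
# places where LDAP logins break silently on a Debian nss-pam-ldapd host.
# "user unknown" / "could not identify user (from getpwnam(...))" from pam_unix
# means NSS could not resolve the account: either nslcd is not running or
# /etc/nsswitch.conf does not list "ldap" for passwd/group/shadow. Both static
# functions take a file path so they can be run against copies of the files.

# Print the NSS databases among passwd, group and shadow that do not list
# "ldap" in the given nsswitch.conf. Prints nothing when all three do.
nss_missing_ldap() {
    awk '
        # comment lines never have "passwd:" as their first field
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            for (i = 2; i <= NF; i++) if ($i == "ldap") has[$1] = 1
        }
        END {
            if (!has["passwd:"]) print "passwd"
            if (!has["group:"])  print "group"
            if (!has["shadow:"]) print "shadow"
        }' "$1"
}

# Succeed (exit 0) if the given PAM file has an active (non-comment) line
# loading pam_ldap.so, the module libpam-ldapd adds to /etc/pam.d/common-auth
# through pam-auth-update.
pam_has_ldap() {
    grep -Eq '^[^#]*pam_ldap\.so' "$1"
}

# Live preflight for an LDAP login on this host. Arguments: the account name,
# the uri from nslcd.conf, and the user's own DN. getent exercises the NSS path
# through nslcd (which ldapsearch never does); ldapwhoami reproduces nslcd's
# second bind as the user's DN and prompts for the user's password.
ldap_login_preflight() {
    user=$1 uri=$2 userdn=$3
    missing=$(nss_missing_ldap /etc/nsswitch.conf)
    if [ -n "$missing" ]; then
        echo "nsswitch.conf lacks ldap for: $(echo "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    pam_has_ldap /etc/pam.d/common-auth ||
        { echo "common-auth does not load pam_ldap.so (run pam-auth-update)" >&2; return 1; }
    getent passwd "$user" >/dev/null ||
        { echo "getent cannot resolve $user: is nslcd running?" >&2; return 1; }
    ldapwhoami -x -H "$uri" -D "$userdn" -W
}

# usage (values assumed from the question):
#   ldap_login_preflight test ldap://ldap.securitywho.local \
#       "uid=test,cn=users,dc=securitywho,dc=local"
```

One caveat from the Wireshark observation in the answer: with `ssl off` and an `ldap://` uri, both the bindpw and every user's password cross the network in a cleartext simple bind, and anyone who can capture that traffic sees the same passwords the packet trace showed. nslcd.conf's `ssl start_tls` (or an `ldaps://` uri) together with `tls_cacertfile` and the default `tls_reqcert demand` closes that.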
